various fixes & updates

templates/firewall.j2

@@ -10,7 +10,7 @@ IPT6=/sbin/ip6tables
 NAME=firewall
 DESC="packet filter"
 
-PUBIF="{{ ansible_default_ipv4.interface }}"
+PUBIF="{{ firewall_public_interface | default(ansible_default_ipv4.interface | default('eth0')) }}"
 #PRIVATEIF=eth1
 
 case "$1" in
@@ -40,28 +40,24 @@ case "$1" in
         echo " * Accept request & reply ICMP requests : \033[32m[OK] \033[0m"
 
 	## Protection rules
-	# SMURF attack protection
-	$IPT4 -A INPUT -p icmp -j DROP
-	$IPT4 -A INPUT -p icmp -m limit --limit 2/second -j ACCEPT
-	# Drop excessive RST packets to avoid smurf attacks
+        # Drop excessive RST packets
 	$IPT4 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
 	echo " * IPv4 protection rules : \033[32m[OK] \033[0m"
 
         # Admin chain
         $IPT4 -N ADMIN
-        $IPT4 -A ADMIN -s 51.158.69.165/32 -j ACCEPT -m comment --comment "monit.brainsys.io"
-        $IPT4 -A ADMIN -s 82.66.138.56/32  -j ACCEPT -m comment --comment "wireguard.brainsys.io"
+{% for source in firewall_admin_sources %}
+        $IPT4 -A ADMIN -s {{ source.cidr }} -j ACCEPT -m comment --comment "{{ source.comment }}"
+{% endfor %}
         echo " * Creating admin chain : \033[32m[OK] \033[0m"
 
 	# Custom rules
-        $IPT4 -A INPUT  -j ADMIN  -p udp --dport 51820 --syn -m comment --comment "admin - IPv4 wireguard"
-        #$IPT4 -A INPUT  -j ADMIN  -p tcp --dport 22    --syn -m comment --comment "admin - IPv4 ssh"
-        $IPT4 -A INPUT  -j ADMIN  -p tcp --dport 873   --syn -m comment --comment "admin - IPv4 rsync"
-        $IPT4 -A INPUT  -j ADMIN  -p tcp --dport 5666  --syn -m comment --comment "admin - IPv4 nrpe"
-        $IPT4 -A INPUT  -j ADMIN  -p tcp --dport 4949  --syn -m comment --comment "admin - IPv4 munin-node"
-        $IPT4 -A INPUT  -j ACCEPT -p tcp --dport 22 	     -m comment --comment "IPv4 ssh"
-        $IPT4 -A INPUT  -j ACCEPT -p tcp --dport 80 	     -m comment --comment "IPv4 http"
-        $IPT4 -A INPUT  -j ACCEPT -p tcp --dport 443 	     -m comment --comment "IPv4 https"
+{% for rule in firewall_admin_rules_ipv4 %}
+        $IPT4 -A INPUT  -j ADMIN  -p {{ rule.proto }} --dport {{ rule.dport }}{% if rule.proto == 'tcp' %} --syn{% endif %} -m comment --comment "{{ rule.comment }}"
+{% endfor %}
+{% for port in firewall_public_tcp_ports_ipv4 %}
+        $IPT4 -A INPUT  -j ACCEPT -p tcp --dport {{ port }} -m comment --comment "IPv4 tcp/{{ port }}"
+{% endfor %}
 	echo " * Custom IPv4 rules : \033[32m[OK] \033[0m"
 
 	# REJECT everything else
@@ -95,18 +91,14 @@ case "$1" in
         echo " * Accept request & reply ICMP requests : \033[32m[OK] \033[0m"
 
         ## Protection rules
-        # SMURF attack protection
-        $IPT6 -A INPUT -p icmpv6 -j DROP
-        $IPT6 -A INPUT -p icmpv6 -m limit --limit 2/second -j ACCEPT
-        # Drop excessive RST packets to avoid smurf attacks
+        # Drop excessive RST packets
         $IPT6 -A INPUT -p tcp -m tcp --tcp-flags RST RST -m limit --limit 2/second --limit-burst 2 -j ACCEPT
         echo " * IPv6 protection rules : \033[32m[OK] \033[0m"
 
         # Custom rules
-        $IPT6 -A INPUT -j ACCEPT -p tcp --dport 80  --syn -m comment --comment "IPv6 http"
-        $IPT6 -A INPUT -j ACCEPT -p tcp --dport 443 --syn -m comment --comment "IPv6 https"
-        #$IPT6 -A INPUT -j ACCEPT -p tcp --dport 22        -m comment --comment "IPv6 ssh"
-        #$IPT6 -A INPUT -j ACCEPT -p tcp --dport 25        -m comment --comment "IPv6 smtp"
+{% for port in firewall_public_tcp_ports_ipv6 %}
+        $IPT6 -A INPUT -j ACCEPT -p tcp --dport {{ port }} --syn -m comment --comment "IPv6 tcp/{{ port }}"
+{% endfor %}
         echo " * Custom IPv6 rules : \033[32m[OK] \033[0m"
 
         # REJECT everything else